Monthly Archives: August 2011

With all the recent reports of company servers being hacked and the usernames/passwords of their customers being released into the wild, the topic of security has been on my mind a lot lately, particularly passwords. I’ve read a number of articles over the years on how to create secure, easy to remember passwords and I’m going to do my best to sum up all that work together in one place. I’m going to try to keep this non-technical where I can, although I’ll include links for anyone who wants to read up on a topic some more.

Words

The first topic to cover is using words for your password, namely: don’t. Sure, you can use them in certain cases, which I’ll explain later, but the general rule is not to use them. One of the first techniques people use to guess your password is a method known as a dictionary attack, which is when a hacker runs through every word that you’d find in your average English dictionary to see if you’re using it as your password. These attacks also typically include the names of people, films, books, songs or anything else you might encounter during day-to-day life. In short, don’t use them. This type of attack typically takes a matter of seconds to run through several thousand different possible passwords, and your account can be cracked open as easily as anything. This also applies to other popular and predictable combinations, like typing “leet” versions of words by switching letters for numbers, or using strings such as “123456”, “password” or the entire top row of your keyboard.

Not much better is using words that, while they might not be particularly well-known, relate to you personally. Having your mother’s maiden name or the name of your first pet might seem like a good idea, but anyone who knows much about you could easily find it out, and it only takes one person trying it to get into your accounts. Heck, there are plenty of forum games out there which get you to put together these very things to make your “Film star name”, “Porn star name” and the like. This also goes for using them as answers to your security questions for those times when you forget your passwords, but I’ll come to those later.

Characters

The other, more popular method is to try every possible combination of characters until you hit one that works. This is known as the “Brute Force” method. Certain websites and programs counter this by blocking a user who enters an incorrect password too many times. For those that don’t have this feature though, your password WILL eventually be cracked, it’s just a matter of time. Thankfully there are ways to extend the time it takes to do so with relatively little effort. The fastest way to do a brute force attack is to assume that a user is only using lower-case characters (a-z), which gives you 26 different possibilities for each character of the password. By putting just a single capital letter somewhere in your password you increase the number of possibilities for each character to 56. This is because a hacker has no way of knowing what type of characters you’re using within your password; all they know is whether it’s right or wrong. You can further complicate things for them by adding a single number (which increases the number of possibilities to 66) and any special symbol from your keyboard. The keyboard I’m using now has 36 special symbols that I can see, and a bunch more that I can’t, but let’s assume 36 for now to keep things simple. That means that by taking a password written in all lower-case letters and adding just a single upper-case letter along with a number and a symbol, any program used will have to run through 102 different combinations for each character. Sure, this may not seem like much, being barely 4 times larger than the original 26 different possibilities, but that’s before we take length into account.

Length

When using the Brute Force method to crack passwords there’s no special technique to it other than going through every single combination of letters, numbers and symbols, and every additional character you add makes it that much more difficult to crack. For every extra character you add to the password you multiply the number of possible combinations by the number of different characters you’re using. To keep the maths simple I’m not going to be exact, but as I’m going to fudge the numbers the same way every time you’ll still be able to see the difference. Let’s take the password “asdgsdgd” for instance. It’s an 8-letter password composed entirely of lower-case letters. There are 26 different letters in that set, so there are 26^8 different possibilities for that type of password (208’827’064’576, or slightly over 208 billion). Sure, that might seem a lot already, but let’s try making just a few changes to it. “asdgsD1?” now features lower and upper-case letters, numbers and symbols. This brings the number of possibilities up to 102^8 (11’716’593’810’022’656, or 11 quadrillion). By changing just these 3 characters we’ve suddenly made the password roughly 50’000 times harder to crack. There’s no real upper limit on how many characters you can use, but a lot of websites impose a limit, so you’re best sticking to a reasonably lengthy password without going too overboard, say 16-20 characters or so. What? You can’t memorise a 20 character password like “dobGFd’2fv43t’g34RDx”? Neither can I, which brings me on to the next topic.

Complexity

Having a hard to remember password doesn’t make it hard to crack. When cracking a password the only things that matter are the length of the password and what types of characters you’re using. So “gsd5V#3d>s” is about as complex as “”, which is far, far easier to remember. You’ll remember earlier I recommended not using common words that you could find in a dictionary. Well, by combining them with a mix of upper-case and lower-case letters, numbers AND symbols you can mostly ignore that rule. Better though is to use multiple words that don’t necessarily belong together while at the same time including other characters to separate them. Take “99_Elephants_Hate_Cucumbers” for example. Incredibly simple to remember, nobody would ever randomly guess it, unless it’s a phrase you just happen to have written next to your PC, and it’s long enough that it’s never going to be cracked by a desktop computer during your lifetime. Ultimately the killer here is length, and believe it or not, the password mentioned above is just as complex as using “D0g……………………”. If you have all these things covered already, then there’s only one thing standing between you and a highly secure password.
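The arithmetic from the Characters, Length and Complexity sections, written out as an added example (this is not code from the original post). It uses the post’s own fudged per-class figures (26, then 56, 66 and 102) and assumes, as the post implies, that each character class adds its count to the alphabet independently; the two example passwords are the post’s own.

```python
# Added example, not from the original post: reproduce the post's
# brute-force keyspace arithmetic and the "length beats complexity" point.
#
# Class sizes are the post's fudged cumulative figures, taken as-is:
#   lower-case 26, +upper-case -> 56, +digits -> 66, +36 symbols -> 102.
# Assumption: each class present adds its increment to the alphabet.
CLASS_SIZES = {
    "lower": 26,    # a-z
    "upper": 30,    # the post's 56 - 26
    "digit": 10,    # 56 -> 66
    "symbol": 36,   # 66 -> 102 (the 36 symbols the post counts)
}


def classes_used(password: str) -> set:
    """Which of the post's four character classes appear in the password."""
    used = set()
    for c in password:
        if c.islower():
            used.add("lower")
        elif c.isupper():
            used.add("upper")
        elif c.isdigit():
            used.add("digit")
        else:
            used.add("symbol")
    return used


def alphabet_size(password: str) -> int:
    """Number of candidates per position an attacker must try (post's figures)."""
    return sum(CLASS_SIZES[k] for k in classes_used(password))


def keyspace(password: str) -> int:
    """Total combinations for this length and alphabet: size ** length."""
    return alphabet_size(password) ** len(password)


def hardness_ratio(weak: str, strong: str) -> float:
    """How many times larger the search space for `strong` is than for `weak`."""
    return keyspace(strong) / keyspace(weak)


if __name__ == "__main__":
    # The post's pair: 26^8 vs 102^8, roughly 50,000 times harder.
    print(keyspace("asdgsdgd"), keyspace("asdgsD1?"))
    print(round(hardness_ratio("asdgsdgd", "asdgsD1?")))
    # Length wins: the 27-character phrase dwarfs the 10-character jumble.
    print(keyspace("99_Elephants_Hate_Cucumbers") > keyspace("gsd5V#3d>s"))
```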

The weakest link

Let’s say you’ve got a wonderful 50 character password using a variety of different letters, numbers and symbols that can’t be found in a dictionary, doesn’t relate to you personally and that you don’t have written down anywhere. This is still only as secure as the place you use it, which, as recent hacks have shown, occasionally stores passwords in plain text, allowing people to just copy it from the server and simply paste it into the password field of any other website or online service you might use. The key here is to make each password slightly different in a way that’s not particularly obvious, but that you can still easily remember.

Let’s take http://www.google.com for example. First decide what the main part of your password will be, such as “!Rabbits_Eat_100_Balloons!” or “8Pineapple//////////////”. Then find a way to incorporate part of the web address into your password. This could be taking the first and last letters and adding them to the beginning and end of your password, making “g!Rabbits_Eat_100_Balloons!e” or “g8Pineapple//////////////e”. Better yet, be sneaky and use the key just to the right of where that letter appears on your keyboard, so you instead get “h!Rabbits_Eat_100_Balloons!r” or “h8Pineapple//////////////r”, which makes it even more unpredictable to anyone who manages to get hold of several of your passwords.

Even better is to prefix a certain number of characters to the beginning of your password based on how long the URL is. Maybe take the total number of letters in the title (6 for google in this case) and add that number plus 2 dots to the beginning.
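The per-site tweaks from the two paragraphs above, as an added example (not code from the original post). It assumes a US QWERTY layout for the “key to the right” step, that a key at the end of a row wraps to the start of that row (the post doesn’t say), that the site name is the label after “www.”, and that “that number plus 2 dots” means six-plus-two dots for google.

```python
# Added example, not from the original post: the site-specific password
# variants the post describes. Layout and wrap-around are assumptions.
from urllib.parse import urlparse

# Assumed US QWERTY letter rows, left to right.
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def key_to_right(ch: str) -> str:
    """Letter immediately to the right of ch on the assumed QWERTY layout.
    The last key in a row wraps to the row's first key (my assumption)."""
    for row in QWERTY_ROWS:
        i = row.find(ch.lower())
        if i >= 0:
            return row[(i + 1) % len(row)]
    return ch  # not a letter key: leave it unchanged


def site_name(url: str) -> str:
    """'http://www.google.com' -> 'google' (assumes a www.<name>.<tld> host)."""
    host = urlparse(url).hostname or url
    labels = host.split(".")
    if labels[0] == "www" and len(labels) > 1:
        labels = labels[1:]
    return labels[0]


def wrap_with_letters(base: str, url: str) -> str:
    """Post's first variant: first and last letter of the name around the base."""
    name = site_name(url)
    return name[0] + base + name[-1]


def wrap_with_shifted_letters(base: str, url: str) -> str:
    """Post's 'sneaky' variant: same, but each letter shifted one key right."""
    name = site_name(url)
    return key_to_right(name[0]) + base + key_to_right(name[-1])


def prefix_dots(base: str, url: str) -> str:
    """Post's second variant: (letters in the name + 2) dots in front."""
    return "." * (len(site_name(url)) + 2) + base


if __name__ == "__main__":
    for fn in (wrap_with_letters, wrap_with_shifted_letters, prefix_dots):
        print(fn("!Rabbits_Eat_100_Balloons!", "http://www.google.com"))
```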

There’s no hard and fast rule for what to do here, as if everyone used the same method it would become a recognisable pattern that could be worked into hackers’ attempts to crack them. The best thing to do is find a password and a technique that work for you. And then the most important tip: do not tell ANYONE your password. Not me, your friends, your parents, that nice man on the internet who needs it so he can give you some uber-cool items in World of Warcraft. Sure, you might be able to trust them not to screw you over (except maybe that guy on the web), but if you’re letting other people know your password then it defeats the purpose of having one in the first place. The same goes for downloading and running files and programs from disreputable sites and following strange links that appear on Facebook. Sure, you might really want to see what that drunk girl did that was so stupid your grandmother just HAD to show you it, but if you get your machine infected then it’s just as bad as sticking your usernames and passwords up on the notice board at university. Nobody’s perfect and everyone gets infected from time to time, just think twice about a link before you click it, even when it’s from a friend you trust. Many viruses like to spread via Facebook and Instant Messenger programs, so your friend might not even realise they’ve sent it to you.

http://www.codinghorror.com/blog/2007/09/rainbow-hash-cracking.html – This goes into detail on a more advanced form of hacking, using a technique known as hash tables. If you’ve followed the rules I’ve laid out in here you’ll be fine, but it does a grand job of explaining how shorter passwords are even less secure than they may seem.